CWE-285—Improper Authorization
PUBLISHEDweakness recordHigh
released 2006-07-19 · last modified 2026-04-30
Metadata
- CWE ID:
- CWE-285
- 摘要:
- Class
- 结构:
- Simple
- 状态:
- Draft
- 发布日期:
- 2006-07-19
- 更新日期:
- 2026-04-30
描述
The product does not perform or incorrectly performs an authorization check when an actor attempts to access a resource or perform an action.
常见后果
- 范围:
- Confidentiality
- 影响:
- Read Application Data, Read Files or Directories
- 注释:
- An attacker could read sensitive data, either by reading the data directly from a data store that is not properly restricted, or by accessing insufficiently-protected, privileged functionality to read the data.
- 范围:
- Integrity
- 影响:
- Modify Application Data, Modify Files or Directories
- 注释:
- An attacker could modify sensitive data, either by writing the data directly to a data store that is not properly restricted, or by accessing insufficiently-protected, privileged functionality to write the data.
- 范围:
- Access Control
- 影响:
- Gain Privileges or Assume Identity, Execute Unauthorized Code or Commands
- 注释:
- When access control checks are not applied consistently - or not at all - an attacker could gain privileges and execute unauthorized code or commands by modifying or reading critical data directly, or by accessing insufficiently-protected, privileged functionality.